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Specification 

FRANKING METHOD AND APPARATUS 

5 The invention concerns a method for machine franking of postal matter and for 
checking the franking according to the preamble of claim 1 as well as a method 
according to the preamble of claim 1 1 . The invention moreover concerns a system 
for the implementation of such a method according to the preamble of claim 12 as 
well as a franking machine for the machine franking of postal matter according to 
10 the preamble of claim 15. 

Like many other concerns, postal services in many countries of the world are 
increasingly conducting commerce in an electronic way, what is referred to as 
electronic commerce (e-commerce). Traditionally, large concerns use franking 

1 5 machines for franking their postal matter. Such franking machines are licensed to 
registered persons and require a specific connection to the postal service in order to 
be able to reload postage fees for the franking. In such a closed franking system, 
mechanical franking machines are reloaded with physical jetons (tokens) or the 
connections to the postal service via a special line or the telephone line exist in 

20 electronic franking machines in order to be able to download postage fees from a 
fee computer there. Such franking machines are only sold or leased to registered 
customers, and an inspection by the postal services is required at regular intervals. 

Since smaller companies and offices have also in the meanwhile allocated adequate 
25 computer capacity on computers and printers is available in a simple and 

advantageous way, franking systems are being increasingly employed with which 
postage fees can be downloaded from the postal service via open networks such as 
the Internet and that require no special hardware with a regular inspection 
requirement. Given such (what are referred to as) open franking systems, a 
30 traditional PC can be used for downloading the postage fees and a standard printer 
can be used for printing a fee stamp on an envelope or on a label. 
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The U.S. Postal Service has specified a system architecture for open and closed 
franking systems. Such a system is known, for example, from US 5,825,893. 
Each user thereby has a physical, optimally breach-proof security device on which 
5 all postage fees of the user provided for the franking are stored. This security 
device (PSD = Postal Security Device) can be arranged inside or outside the 
franking machine or the computer. A fee counter and a user-associated encryption 
module with which the fee stamp and a further machine-readable date stamp (what 
are referred to as "indicia") are generated are essentially arranged in a secured 

10 device. For franking a piece postal good [sic], such an indicium is generated by 
the security device from the postage fee to be franked, an identification code of the 
security device, the sender address, the current fee counter state and, potentially, 
further data by means of a signature code. This indicium is then encoded in a two- 
dimensional bar code and printed onto the postal matter so that it can be scanned 

15 and inspected in a simple and dependable way by a checking device of the postal 
service. The internal postage fee counter of the franking machine is subsequently 
diminished by the amount of postage that has been used. 

Since the users of open franking systems are not registered and the hardware that is 
20 employed is not subject to any regular inspections by the postal service, such 

franking systems must be protected against fraud to a more significant degree than 
closed franking systems. However, they must also be clearly cheaper in order to 
be able to penetrate into the mass market. The invention is therefore based on the 
object to achieve a franking method, a franking system, and a franking machine 
25 which exhibit high security against fraud given simultaneously low costs. 

These objects are achieved by the methods according to claim 1 and claim 1 1 , by 
the system according to claim 12 or, respectively, by the franking machine 
according to claim 15. 

30 
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The invention is thereby based on the idea that fraud by multiple use of postage 
fees and/or multiple use of date stamps can be prevented in that the machine- 
readable date stamp applied onto the postal matter in the franking is encoded 
and/or designed such that it can be unambiguously differentiated from other 
5 employed date stamps. The date stamp hereby contains the imprint and/or value of 
an electronic coin individualized for the present franking. While standard money, 
for example coins and bank notes, are in fact standard payment means, the purpose 
of the payment, however, cannot be seen from them. Given the present invention, 
however, money that has been individualized for the present franking - referred to 

10 below as electronic coin - is generated with the franking, whereby this electronic 
coin not only contains a monetary value - such as, for example, the postage value - 
but moreover also contains data individualized to the franking so that a double 
generation of an electronic coin is precluded. The electronic coin is represented on 
the postal matter by a date stamp which, in addition to the postage value 

1 5 specification, contains further particulars identifying the electronic coin, which 
particulars are machine-readable. The postal service can thereby check by means 
of a checking device whether a date stamp has already been employed and, for 
example, has been cut out by a defrauder and glued onto a new letter. The multiple 
employment of postage fees that are stored and debited in electronic form in such 

20 franking systems can thereby be detected since it can be recognized using the date 
stamp whether it has been generated by means a postage that has already been 
consumed. Insofar as the originator of the date stamp is contained in the date 
stamp (in non-manipulable (encrypted) form), the defrauder can be identified in 
this case. In both instances, the postal matter franked with such fraudulent means 

25 can be precluded from further conveyance. 

Compared to known solutions, the inventive solution exhibits the advantages that 
no additional hardware (such as a described security device) is hereby required for 
the storing and accounting of the postage fees and for storing a user-individual 
30 signature key and can be realized on a conventional computer as a pure software 
solution. Further, it is not absolutely necessary that data about the user are 



3 



contained in the date stamp, so that the user cannot be indicated from the date 
stamp, whereby the anonymity of the user is preserved. It is also not required that, 
in addition to the user and the postal service, a third person - as monitoring entity - 
monitors the franking event and the accounting of the postage fees online as in 
5 some known solutions; rather, a franking can ensue at any time and without 
intervention of such a monitoring entity. Overall, with the inventive solution a 
high security standard similar to as with cryptographically secure electronic 
payment systems is achieved. 

10 In one embodiment of the inventive method, it is provided that the inspection 
ensues via comparisons of the date stamp to be inspected with used date stamps 
stored in a data bank. The comparison check of the date stamp to be inspected is 
equivalent with the comparison test of generated electronic coins. Since an 
individual date stamp (thus also an individual electronic coin individualizing the 

1 5 piece of mail) is generated for each piece of mail, this represents a simple . 

realization of the inspection, whereby the data bank is stored in a suitable storage 
device in the inspection device. Since, however, data banks do not exhibit 
unlimited storage space in practice, the embodiment according to claim 3 is very 
advantageous. Each data stamp thereby comprises an expiration date, i.e. a date in 

20 the future of the date of the production of the date stamp until when the date stamp 
(or, respectively, the electronic coin) is valid and up to which, for example, the 
piece of mail is also carried. This time span can, for example, amount to a 
standard fourteen days for all users and all date stamps (or, respectively, electronic 
coins). This means that an electronic coin whose expiration has already expired as 

25 of the inspection can be separated out in a first stage of the inspection, and that 

only those used electronic coins need remain stored in the data bank that have been 
inspected in this time span calculated from the date of the inspection, thus in the 
last fourteen days in the example. For example, storage space in the data bank can 
thereby be made available again every day by erasing the date stamp or, 

30 respectively, electronic coins having the oldest inspection dates. 
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The development of the invention according to claim 4 represents one possibility 
via which an inspection for multiple employment of postage fees can ensue. The 
developments according to claims 5 and 6 essentially serve operating convenience, 
in that the user can compile the postage fee to be franked from individual postage 
5 fee units or can subdivide a larger postage fee unit into small sub-units. 

In order, on the one hand, to enable he cited inspection of postage fees for multiple 
employment and, on the other hand, to prevent defrauders from producing their 
own postage fee units without paying for them, according to the development 
according to claim 7 an individual encoding of the postage fee units with a secret 
key is provided by the postal service. This encoding, which turns out differently 
for each postage fee unit, is also found again in the date stamp applied onto the 
postal matter, on date stamp a multiple usage of postal fee units can thus be 
detected. 

According to a preferred development of the invention, the production date and 
production time, the franked postage fee and the addressee of the postal matter are 
contained in non-manipulable form in the date stamp. However, it can also be 
provided that other and/or further data such as, for example, the sender, his address 
or an expiration date for the postage fee are also contained. 

For capacity reasons it can be provided that not all frankings and date stamps are 
inspected. It can thus be provided that the inspection is only implemented in the 
fashion of spot checks, that not all inspected date stamps are stored in the data 
25 bank or that a date stamp to be inspected is only compared with a part of the date 
stamps stored in the data bank for reasons of time. In order to nonetheless prevent 
that fee stamp and date stamp are separated from or cut off from a conveyed piece 
of mail or copied by means of a copier and simply glued or copied onto the postal 
matter to be franked, further postal matter data can be incorporated in the date 
30 stamp in the development of claim 9. These postal matter data can quasi-serve as 
an individual fingerprint of the postal matter to be franked and thus turn out 
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differently for each piece of mail. For example, the surface structure (surface fiber 
structure, roughness of the surface) of the packaging material or of the envelope or 
another measurable property that individualizes the individual piece of mail (such 
as, for example, the exact weight) can be employed as postal matter data, these 
5 being either input by the user or automatically measured in the franking by means 
of a measuring device integrated into the franking machine. 

Proceeding from this consideration, it can also be provided according to claim 10 
that these postal matter data are artificially added to the postal matter in the form of 

10 label data situated on a label. Such a label can, for example, carry a hologram or a 
barcode whose data are integrated in the data stamp as postal matter data. Via the 
measures according to claims 9 and 10, it is achieved that a date stamp must also 
belong to the postal matter franked therewith and not be employed for some other 
postal matter which comprises different postal matter data. This can be established 

15 in the inspection of the date stamp insofar as the inspection means is suitably 

fashioned for measuring the postal matter data of the postal matter to be inspected, 
and these measured postal data are then compared with the postal matter data 
contained in the date stamp. 

20 The method according to claim 1 1 , which can be executed on an individual 

franking machine, can be developed in embodiments like the method described 
above. The system specified in claims 12 through 14 for the implementation of the 
method according to claim 1 as well as the franking machine specified in claims 1 5 
and 16 can also be configured in a corresponding way. 

25 

The invention is explained in greater detail in the following by way of example 
with reference to the drawings. Shown are: 

Figure 1 the block diagram of an inventive franking system; 

30 

Figure 2 a postal good franked according to the inventive method; 
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Figure 3 the protocol processed to open a postal fee account; 

Figure 4 the protocol processed to download a postage fee unit; 

5 

Figure 5 the protocol processed for generating a date stamp; 



Figure 6 the protocol processed for detecting duplicate use of a postage fee 

unit, [sic] 

10 

Figure 7 shows an exemplary imprint (of a date stamp or, respectively, of an 

electronic coin) with a data matrix of 40 x 40 elements. 



The franking and mail-carrying system shown in Figure 1 comprises a postal 
15 service 1, a franking machine 2 and a mail-carrying service 3. The postal service 1 
essentially comprises a postage fee device 1 1 for outputting and accounting of 
postage fee units and an inspection device 13 for inspecting and devaluing 
frankings. The postage fee device 1 1, which need not necessarily be arranged in a 
post office but rather can, for example, also be localized by a third party or on the 
20 Internet, provides postage fee units for franking postal matter that can be purchased 
or electronically downloaded at any time by the user of a franking machine. The 
postage fee units (i.e. electronic coins) are generated by means of a device 12 upon 
output; the debiting and accounting ensue by means of an accounting device 15. 



25 The franking machine 2 comprises a central unit 21 and a printer unit 22 which, in 
an open franking system, can be realized by a standard PC and a standard printer. 
The central unit 21 comprises a fee module 23 that downloads the postage fee units 
from the postal service, stores them and internally debits them given a franking. 
The storing of postage fees can, for example, thereby ensue on the hard disk of the 

30 PC, on a chip card or on another storage medium. The accounting of postage fees 
with the postal service usually ensues upon download of postage fees from the 
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postal service 1, while the internal accounting ensues upon printout of a franking. 
The accounting with the postal service can thereby ensue by means of a separately 
established debiting account, by means of credit card, by electronic payment or by 
cash payment. In order to protect data for the generation of the date stamp when 
5 franking a piece of mail against manipulation, a cryptographic module 24 is also 
provided. Finally, for print control a print control module 25 is provided which 
controls the printer means 22. The fee stamp and the data stamp can either be 
printed directly on the postal matter or can be printed on a label to be glued onto 
the postal matter. The franked postal matter is subsequently conveyed by a mail- 

10 carrying service 3, whereby either there or in the postal service 1 (for example in a 
mail collecting center) it passes through an inspection device 1 3 where the 
franking is inspected and devalued. To this end, the inspection device 13 
comprises a memory device 14, wherein, in particular, used date stamps are stored 
with which a date stamp to be checked is compared. A connection between the 

15 postage fee device 1 1 and the inspection device 13 can also exist in order, for 

example, to keep accounts about used and devalued postage fee units and to assure 
that the inspection device 1 3 knows the encoding of postage fee units, which can 
change at regular time intervals. 

20 The franking, which comprises at least one fee stamp and a date stamp in the 

present case and is generally referred to as "indicium", should comprise at least the 
franked postage fee and an electronic signature for authorization of this postage 
fee. Additionally, further data can be provided in order to support specific 
functions of the mail-carrying system. For example, the delivery address can be 

25 contained in machine-readable form in order to enable automatic mail sorting. For 
anonymity reasons, the identity of the sender can thereby also be omitted. The 
machine-readable part of the franking can, for example, be printed in the form of a 
two-dimensional bar code. When a franking proves valid and sufficient, the postal 
matter is delivered to the corresponding recipient. 

30 
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Such a franking and mail-carrying system must be protected against fraud insofar 
as possible; fee accounts of users must be protected against unauthorized access; 
data protection and anonymity must be protected within certain limits, and other* 
security demands (that should be explained in detail in the following) must be 
5 taken into consideration. 

a) At any point in time, the mail-carrying system should only carry as much 
mail as is covered by paid fees. As a sub-criterion, the duplicate usage of 
postage fees should be prevented: after a user has downloaded postage fees 

10 in a value of x, he should be able to print out a maximum of fee stamps 

whose total value does not exceed the value x. In open franking systems, 
the recipient address and a time mark are usually already contained in the 
date stamp, so that a reuse of a franking that has already been employed is 
thereby largely precluded even without further cryptographic security 

15 measures. In closed franking systems in which the franking process is 

separate from the addressing process, such that the recipient address is 
usually not contained in the date stamp, copies of frankings can, however, 
be detected in that, as in the inventive system, frankings (i.e. the date stamp 
of a franking) is [sic] compared with frankings that have already been used 

20 and are stored in a data bank and is [sic] thereby inspected. When a date 

stamp is thereby detected a second time, the postal matter franked therewith 
can either be charged a punitive postage and sent back to the sender or can 
be precluded from mail-carrying. As a further protective measure against 
copying of frankings, the employment of red fluorescent ink (which can 

25 only be reproduced with difficult with conventional copiers) can be 

provided for the fee and/or date stamp. In order to identify a user who 
illegally employs a postage fee unit multiple times for franking, for 
example, it can also be provided that the date stamp contains data about this 
user in in [sic] non-manipulable form, for example the number of his 

30 postage fee account or a specific user code. 
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b) Insofar as it is possible using the date stamp to determine a user who 
illegally employs frankings and/or postage fee units multiple times, 
protective measures must be undertaken [sic] that a correctly behaving user 
is not erroneously accused of such misbehavior. 

c) Frankings should not reveal whether they originate from the same user 
except when the sender/user wishes this. Moreover, the user identity 
should also not derive from the franking in order to enable the anonymous 
dispatching of postal matter. Thus, a linking of date stamps by comparing 
the users should also be prevented. 

In addition to the described security demands, a franking system should also offer 
adequate operating convenience. After downloading postage fees in a value of x, 
the user should have the possibility to generate any desired fee value (maximally 
x). Moreover, the procedure of acquiring postage fee units and the generation of 
frankings should be independent of one another, such that an online connection to 
a postage fee means need not first be produced (as in known systems for 
generating a franking) in order to download a postage fee which is directly 
converted into a franking. The franking should thus also be possible offline and 
without intervention of a third party monitoring the franking and the accounting of 
the postage fees. 

With the inventive method and the shown inventive system, the described security 
demands and the described operating convenience can be achieved. Due to the 
individual design of the date stamp such that, for example, a different type of date 
stamp is required every day for each addressee, the duplicate usage of frankings 
can be largely precluded. A defrauder who has sent a postal item to a specific 
recipient could employ the franking employed for this a second time only for a 
second sending on the same day. Since it is also provided that the date stamps are 
compared in the inspection device with the date stamps already used and stored in 
the data bank and in [sic], frankings that are employed for a second time can be 
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detected with high reliability. When the generation of the date stamp is fashioned 
such that information about the identity of the user is contained therein, this user 
can also be determined in case of fraud. Since a code is also contained in the date 
stamp from which the postage fee units employed for generating the franking can 
5 be concluded, given this inspection it can also be established whether the 

corresponding postage fee units has [sic] already been used earlier for generation 
of a franking and therefore has [sic] been consumed. Since the postage fee units 
can also be acquired at any time and independent of the point in time of a franking 
to be undertaken and can be downloaded and can be both subdivided into smaller 
10 sub-units and combined into larger units, the required operating convenience is 
also achieved. 

In Fig. 2, a postal matter 8 (an envelope in the example) is shown with an inventive 
franking and addressing. This comprises an address field 81 for the addressing, an 

15 optional sender field 82 for the return address, a fee stamp 83, a date stamp 84 and 
a label 85. The label 85 is optional and quasi-serves as fingerprint for the piece of 
mail, to which end label data contained on the label are likewise contained in a 
non-manipulable form in the date stamp 84. It should thereby be prevented that the 
fee stamp 83 and the date stamp 84 are cut out or copied and glued onto another 

20 piece of mail and illegally reused. To that end, the label 85 would also have to be 
reused together with the date stamp 84, which label 85 can, for example, be 
designed such that it is destroyed upon separation and/or cannot be copied, such as, 
for example, holograms, watermarks, relief impressions, etc. [sic]. Moreover, the 
date stamp 84 can be fashioned such that it is machine-readable, the address of the 

25 addressee is contained and can be employed for machine sorting of the postal 

matter. In this case, the franking could also be employed only for a postal matter 
directed to one and the same addressee. The arrangement, size and design of the 
individual fields 81 through 85 can, of course, ensue differently from that shown. 

30 To explain individual events, protocols with individual protocol steps are shown in 
Figures 3 through 6. To understand these protocols, which are essentially based on 
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the difficulty of the calculation of discrete logarithms, some of the designations 
and definitions employed should be explained first. The designation manner is 
similar to the designation manner employed in US 5,521,980, in which an 
electronic payment system is described and which is herewith expressly referenced 
5 in view of further explanations of the designation manner and further definitions. 

It should be designated that: Z is the set of whole numbers, q is a prime number, G 
is a family of finite, multiplicative Abel groups G q of the order q. Furthermore, for 
a given group G q powers g x with (g e G q and x e Z) are defined by repeated 
10 multiplication in G q . For a given generator g of the group G q and an element z e 
G q , the smallest non-negative whole number is x, insofar as it satisfies z = g K 9 
discrete logarithm of z with respect to g. If general / generators g\ 9 ... 9 g/ e G q is 
given, this means that tuple ...,*/) that satisfies z = Tl f i=x g* 1 , a discrete 
representation of z with respect to gi ,...,#/. 

15 

Families of groups G q are used in the following that have efficient algorithms for 
multiplication of group elements, uniformly distributed, random selection of group 
elements and testing of two group elements for equality. Moreover, the calculation 
of discrete logarithms is difficult, i.e. not possible in polynomial time in the bit 
20 length of q. Although the last property has not hitherto been demonstrated for any 
family of groups, there are candidates to which these properties are ascribed after 
intense research over multiple decades. This is called the discrete logarithm 
assumption or discrete representation assumption. Both are equivalent. 

25 Large cyclical sub-groups of the multiplicative groups Z* of finite bodies of 

residues modulo of a large prime number p are one candidate. Here large means 
that p is at least 1024 bits long. Other candidates (that, however, have not been 
investigated as long) are families of specific elliptic curves, large sub-groups of 
elliptic curves to be more precise. The elliptic curves should not be super-singular 
30 and of a low family. There are concrete recommendations from, for example, the 
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National Institute of Standards and Technology (NIST) [NIST99] 
(http://csrc.nist.gov/engryption). The current state of research is that the 
calculation of discrete logarithms in the former candidate given a modulo length of 
1024 bits is about as difficult as the calculation of discrete logarithms in the latter 
5 candidate given a curve order of approximately 160 bits. The multiplicative 

notation of G q is employed below. This notation can be easily translated into the 
additive notation that is standard given elliptical curves, in that multiplications in 
G q are replaced by addition and powers in G q are replaced by scalar multiples of 
points of a curve. 

10 

The protocols shown in Figures 3 through 6 are written in the notations standard 
for algorithms: via a declaration and a definition. A protocol declaration that is 
respectively given in the first line of the Figure is composed of the formal output 
parameters, followed by an allocation arrow, followed by the protocol name and 

15 the formal input parameters in brackets. In order to improve the legibility, all 
input and output parameters of a participant are enclosed in square brackets, 
whereby the abbreviation of the participant (S for user, P for postage fee device) is 
attached to the brackets in superscript. Formal input parameters can be taken from 
one protocol participant alone or from all protocol participants in common. The 

20 former are called private inputs, the latter are called common inputs. A protocol 
definition ensues in matrix notation, whereby the actions of each participant are 
written in columns below one another and each column is headed by the participant 
name. Successive following actions of a participant can be combined into blocks. 

25 Protocol actions are written in the standard mathematical notation with a few 

specific symbols. The uniformly distributed, random selection of an element from 
a set A and the allocation of this element to a variable a is designated with a G/? A. 
The evaluation of an expression E and subsequent allocation of the result to a is 
designated with a <r E. H designates a pseudo-random hash function that returns a 

30 value from Z q after input of an arbitrary binary character sequence. It is allowed to 
write an H with an arbitrary number of arguments. In this case, the input to H is 
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the concatenation of the binary representations of all arguments. Arithmetic 
operations are written either in G qy i.e. multiplication mod p, or in Z q , i.e. addition 
and multiplication mod q. Multiplication and exponentiation G q are the most 
frequent operations in the following. This operation is written without the 
5 supplement "mod p". The addition and multiplication in Z q respectively receives 
the supplement "mod q" so that it is clear in every instance which operation is 
meant. If a participant of a protocol sends the value of its variable a to another 
participant, then an arrow — — > designated with a points from the column of the 
sending participant to the column of the receiving participant (see Fig. 3 and 4). 
10 Calls of protocols or algorithms are designated in the standard notation. The 

expression "proceed iff P" with P as a Boolean predicate denotes that the protocol 
implementation only proceeds if an only if P is valid. Otherwise the protocol is 
ended and the participants output a corresponding error message. 

15 In the following protocols, p designates a large prime number, q designates a large 
deviser of/?-l and G q references the unambiguous sub-group of the multiplicative 
group of the body Z p that has the order q. Furthermore, g h gi, G, Go are four 
generators of G q that are selected independent of one another and are uniformly 
distributed randomly at the system start. The postage fee device P selects a private 

20 key x e Z* randomly and with uniform distribution and calculates the 

corresponding public key y - g x mod p. Digital coins (also called "piece of 
postage" (PoP)) are tuples (A,B,<f), whereby A,BeG q and a = (z,a t b,r) are a digital 
signature from the range Go x Gq x Gq x Z q „ A digital coin is valid with respect 
to a public key y when it satisfies the following equation: 



25 



f \ 
verifyPoP{y,A,B(z,a,b 9 r))= G r = {ya x ) c b x a m r = (za 2 ) c b 



2 

K J 



(1) 



with c = H(A,B,z,a,b) 
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In their digital form, indicia or, respectively, date stamps are tuples 
{A.BXz.a.b^s^rcpt.d/t), whereby the first part (A,B,(z,a,b,r)) is a digital coin and 
the second part {s,rcpt,d/i) specifies the service that can be paid with this indicium, 
s e Z ? 3 is thereby an auxiliary value that enables the de-anonymization of the user 

5 in case of fraud, rcpt is the recipient and d/t is the date of creation and the creation 
time of the indicium. Further data about the source of the indicium can be added. 
A date stamp is valid when the following equation is satisfied: 

veriJyInd(y,A,B{z,a,b,r)s,rcpt 9 dlt)= (AB * 1 a gf'^G* 3 = AB C ) (2) 
10 with c = H(A,B,z,a,b,r,rcpt,d/t) 

A part of the protocol sequenced given the opening of a postage fee account is 
shown in Figure 3. Before a user S can open a postage fee account, he must select 

a private, digital identity (ul, u2) e Z q in a uniformly distributed and random 

15 manner and must select his associated public digital identity I = g\'gi 2 mod p. 

Subsequently, he identifies himself with respect to the postage fee device P (for 
example by means of an identification) and opens his electronic postage fee 
account. He employs his public digital identity / as an account number. As proof 
that / is his rightful public identity, he demonstrates that he knows a discrete 

20 representation of /with respect to the generators g\, gi (namely his private digital 
identity (mj, W2)) without showing this discrete representation to the postage fee 
device. This occurs in the blocks 41 through 44 in an interactive way between the 
user S and the postage fee means P. When the postage fee device accepts the 
identification and the protocol is successfully run (acc = True), a new postage fee 

25 account with number / is opened in the name of the user S. 

A protocol is shown in Figure 4 that is run for downloading of digital coins. A 
common input is the account number / and the public key y of the postage fee 
device. Private input of the postage fee device P is its private key x. Private input 
30 of the user S is his private digital identity (wi, w 2 ). First, the user demonstrates that 
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he possesses a discrete representation of /(Block 51). The protocol is shown in 
Figure 3. The postage fee device and the user take the common input / and the 
user takes his private digital identity (u\, uz) as private input. The user now selects 
two values w\ 9 w 2 e Z q in a uniformly distributed and random manner and 

5 calculates a g^ g™ 2 . This value a is sent to the postage fee device, which 

subsequently selects a value c un a uniformly distributed and random manner and 
sends it to the user. The user responds to this with the value pair (r\ 9 ri) = (cu\ + 
w\ mod q, cu 2 + wz mod q). In the event that the value pair returned by the user 

satisfies the equation g^g^ = h c a , the postage fee means accepts / as the public 

10 digital identity of the user and therewith as an account number. Next, the user 

selects the values w, v in a uniformly distributed and random manner according to 
block 52. At the same time, the postage fee device selects a value t and 
subsequently calculates the components z,a,b> according to block 53. The postage 
fee device sends z, a, b to the user. The user thereupon selects further values <o e 

15 Z* and a = (ai, az, (X3) e Z^ in a uniformly distributed and random manner. He 

then successively calculates the values /', z\ A \ B \ a \ b \ c \ c according to block 
54. Next, he sends the value c to the postage fee device that replies for the value r 
according to block 55. Finally, the user calculates the value r * and accepts the 
received digital coin (A \B\(z\a \b\rj) when it is valid (see Equation (1) above) 
20 with respect to the public key y of the postage fee device (see block 56). 

Moreover, the user stores the discrete representation a, B of A and B for the digital 
coin that was received. 

When the user wishes to frank a postal matter, he selects a suitable digital coin 
25 {A,B t (z t a t b,ry) and calculates the corresponding indicium. The recipient rcpt of the 
postal matter, the date and the time of the creation d/t of the indicium and, 
potentially, further relevant data enter into this calculation. In addition to the 
postage fee unit, the user must also input the corresponding, discrete 
representations a, B of A or, respectively, B. Figure 5 shows the calculations that 
30 the user implements (block 61). 
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When a postal item franked in this way arrives at the inspection device, the 
indicium can be verified according to the above equation (2). It is left to the 
discretion of the inspection device as to what quota of passing postal matter is 
5 inspected. When a user uses a received digital coin generate more than one 

indicium and therewith more than one franking even though the digital coin is only 
fashioned for franking a single piece of mail, then the inspection means can 
recognize this duplicate use with due to the fact that the components A, B have 
been used in an indicium that was inspected earlier. In this case, the two indicia 
10 are designated c\,C2 and the corresponding s-components are referenced as s\ = 
(s\\, s\2, s\i) and S2 = fob ^22 5 ^23)- The inspection device can now determine the 
private digital identity (1/1,^2) of the fraudulent user with the calculating steps 
shown in block 71 of Figure 6 and can determine the account number I = 

g\ l Si 2 mod p of the fraudulent user from this. 

15 

Given the inventive franking method and the inventive franking system, no 
additional hardware is required for a security device for securing and debiting 
postage fees; rather, the realization is possible by means of a traditional computer 
and printer. As a result thereof, such a system can be realized clearly more cost- 

20 effectively, for which reason the application is also of interest for a larger mass 
market. At the same time, however, high security demands are met. It is also 
possible to realize the critical method steps purely via software that can be 
exchanged and improved with simple means. It is also not required that each user 
possess his individual key pair, for example for a digital signature system. The 

25 users and the inspection device must merely know the public key of the postal 
service or, respectively, of the postage fee device. This, for example, can be 
published on an Internet page of the postal service, and the associated public 
certificates can be integrated in a standard web browser. In contrast thereto, each 
user possesses his own, individual signature key in the known solutions, which 

30 requires as a counter-move that the postal service must either administer and store 
the corresponding verification keys or that each date stamp must contain the 
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corresponding verification key and the verification certificate. When, given the 
known solutions, a defrauder succeeds in breaking the signature key of a security 
means of the user, he can arbitrarily generate frankings without risk of discovery. 
In contrast to this hardware protection in the known solutions which are intended 
5 to prevent the breach of the security device, a protection with cryptographic means 
is assured in the inventive solution. Moreover, further security demands and 
demands made of the operating convenience can be realized more simply and more 
cost-effectively in the inventive solution. 

1 0 Figure 7 shows a test imprint of a date stamp with a data matrix of 40 x 40 

elements, thus the smallest data set of the options cited in Table 1 . The printed 
date stamp is machine-readable and contains the electronic coin, its value as well 
as its expiration date as well as further particulars that individualize the franking. 
The data matrix 1 00 can, of course, also be formed of some other element number 

15 of mx x n elements. A standard advertising imprint is shown to the left next to the 
printed data matrix 100. 

A method for machine franking of postal matter and for inspecting the franking has 
been disclosed above. The inventive concept, however, can be utilized everywhere 

20 in electronic commerce (e-commerce, IE-cash systems); for example, it is possible 
without further measures that services such as, for example, the output of cards and 
tickets (theater tickets, travel tickets, etc.) can be handled by means of the 
invention in decentralized and open systems. If, for example, a travel ticket is 
generated by the user of the travel ticket himself, the travel ticket imprint contains 

25 all data of the travel ticket-individual electronic coin. Since each travel ticket is 
individualized, multiple employment of the travel ticket is precluded. 
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Claims 

1 . Method for machine franking of postal matter (8) and for inspecting the 
franking, whereby postage fees are stored debited in electronic form as electronic 

5 coins and whereby a machine-readable date stamp containing the electronic coin is 
applied onto the postal matter (8), whereby an individual electronic coin that can 
be differentiated from electronic coins generated for other pieces of mail is 
generated for each piece of mail, and an inspection for multiple employment of 
electronic coins and/or date stamps ensues on the basis of the date stamp (84) 
10 containing the electronic coin. 

2. Method according to claim 1, 

characterized in that the inspection ensues by comparing the electronic coin (84) to 
be inspected with a used electronic coin stored in a data bank (14). 

15 

3. Method according to claim 1 or 2, 

characterized in that each date stamp (8) or, respectively, the electronic coin 
contained therein contains an (individual) expiration. 

20 4. Method according to claim 3, 

characterized in that electronic coins that have already been used and that are only 
valid up to a maximum expiration date are stored in the data bank (14). 

5. Method according to one of the preceding claims, 

25 characterized in that the postage fees that represent an electronic coin are stored as 
postage fee units, whereby each postage fee unit comprises a postal matter- 
individual encoding, and in that the encoding is employed in the generation of the 
electronic coin for a postal item (8) such that, using the date stamp (84), it can be 
checked whether a postage fee unit or, respectively, electronic coin has already 

30 been employed for franking postal matter. 
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6. Method according to claim 5, 

characterized in that a plurality of postage fee units can be combined for franking a 
postal item (8) and/or a postage fee unit can be composed of a plurality of 
electronic coins. 

5 

7. Method according to one of the preceding claims, 

characterized in that the electronic coin only authenticates very specific data. 

8. Method according to one of the preceding claims, 

10 characterized in that the postage fee units are divided into a plurality of sub-units, 
and in that the sub-units can be employed for franking different pieces of postal 
matter. 

9. Method according to one of the preceding claims, 

1 5 characterized in that the generation of the postage fee units ensues given their 
purchase from a postage fee device by means of a a (secret) key known only to 
said postage fee device. 

10. Method according to one of the preceding claims, 

20 characterized in that the creation date and creation time, the franked postage fee 
and/or the addressee of the postal matter (8) are contained (in non-manipulable) 
form in the date stamp (84) or, respectively, in the generated, electronic coin. 

1 1 . Method according to one of the preceding claims, 

25 characterized in that postal matter data characterizing the postal matter (8), 
particularly postal matter data characterizing physical properties of the postal 
matter, are contained in the date stamp (84) or, respectively, the generated 
electronic coin. 

30 12. Method according to claim 1 1 , 
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characterized in that the nature and/or surface structure of the packaging material 
of the postal matter are employed as uniquely characteristic [sic] and/or label data 
located on a label (85) additionally applied to the postal matter are employed as 
postal matter data. 

5 

13. Method for machine franking of postal matter (8), 

whereby postage fees are stored and debited in electronic form as electronic coins 
and whereby a machine-readable date stamp (84) containing the electronic coin is 
applied onto the postal matter (8), whereby an individual electronic coin (84) that 
10 can be differentiated from electronic coins generated for other pieces of postal 

matter is generated and applied onto the postal matter (8), and in fact in such a way 
that an inspection for multiple employment of electronic coins and/or date stamps 
is possible on the basis of the date stamp (84) containing the electronic coin. 

15 14. System for the implementation of the method according to claim 1 , 

with a franking machine (2) for the machine franking of postal matter (8) 
comprising a printing unit (22) for application of a machine-readable, 
potentially encrypted date stamp (84) onto the postal matter (8) and 
comprising a central unit (21) with a fee module (23) for loading, storing 

20 and debiting of postage fees, with a print control module (25) for 

controlling the printing unit (22), and 

with a postage fee device (1 1) for output of postage fee units, and 
with an inspection device (13) for inspecting the date stamp, whereby a 
cryptographic module for the encryption of data for the date stamp is 
25 provided which is configured such that an individual date stamp (84) 

differentiable from the date stamp for other pieces of mail is generated for 
each piece of postal matter (8), and such that the inspection device is 
configured for inspecting for multiple employment of postage fees and/or 
date stamps on the basis of the date stamp (84). 

30 

15. System according to claim 14, 
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characterized in that the date stamp (84) contains the information of an electronic 
coin and the electronic coin is individualized for each franking, such that the 
electronic coins of each franking also differ from one another when the same fee 
value is printed onto the postal matter. 

5 

16. System according to claim 14 or 15, 

characterized in that the inspection device (13) comprises a memory device (14) 
for storing used date stamps or, respectively, used electronic coins. 

10 17. System according to claim 16, 

characterized in that the postage fee device (11) comprises an encryption device 
(12) (cryptography device) for encrypting postage fee units. 

1 8. Franking machine (2) for the machine franking of postal matter (8), 
1 5 comprising a printing unit (22) for applying a machine-readable date stamp 

containing an electronic coin onto the postal matter (8), a central unit (21) with a 
fee module (23) for loading, storing and debiting postage fees, with a print control 
module (25) for controlling the printing unit (22), whereby an individual date 
stamp (84) differentiable from the date stamps generated for other pieces of postal 
20 matter is generated on each piece of mail (8) such that an inspection for multiple 
employment of postage fees and/or date stamps and/or electronic coins is possible 
on the basis of the date stamp (84). 

19. Franking machine according to claim 18, 

25 characterized in that the franking machine is essentially realized by a conventional 
computer with a conventional printer. 



22 



Abstract 



The invention concerns a method for machine franking of postal matter (8) and for 
the inspection of the franking, whereby postage fees are stored and debited in 
electronic form and whereby a fee stamp (83) and a machine-readable date stamp 
(84) containing encrypted data are applied onto the postal matter (8). In order to 
design such a method more cost-effectively, whereby high security demands are 
met at the same time and a realization should be possible on a traditional computer 
with a printer without further additional hardware, it is inventively proposed that 
an individual date stamp (84) differentiable from the date stamps generated for 
other pieces of postal matter is generated for each piece of postal matter (8) and is 
applied onto the piece of mail (8), and that an inspection for multiple employment 
of postage fees and/or date stamps ensues on the basis of the date stamp (84). This 
inspection is preferably realized by comparing a date stamp (84) to be inspected 
with previously used date stamps stored in a data bank. In particular defrauders 
can therewith be identified who, without payment, wish to generate frankings or, 
respectively, employ frankings multiple times, for example by copying. The 
invention also concerns a system for the implementation of such a method as well 
as a correspondingly-fashioned franking machine. 
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